Data Protected - Australia
Last updated March 2024
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
_____________________________________________________________________
General | Data Protection Laws
____________________________________________________________
National Legislation
General data protection laws
The Commonwealth of Australia has enacted the Privacy Act 1988 (Cth) (the “Privacy Act”). It has also enacted other legislation specifying obligations and granting rights in relation to privacy and the handling of personal data, including the Taxation Administration Act 1953 (Cth), the Telecommunications Act 1997 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth).
Substantive amendments to the Privacy Act came into effect on 12 March 2014 in respect of a number of areas including direct marketing, privacy collection statements and privacy policies, collection of unsolicited personal data, disclosure of personal data outside Australia and credit reporting. Substantial penalties can be imposed for "serious" or "repeated" interferences with the privacy of data subjects.
The Australian Federal Government has, since 2020, been in the process of reviewing the Privacy Act. The Federal Government released the Privacy Act Review Report in February 2023 and a further response to that Report in September 2023. In this latest response, the Government agreed or agreed in-principle with 106 of 116 proposed Privacy Act reforms. The first tranche of reforms is expected in 2024, while more significant and material changes are subject to further consultation.
Separate to the federal Privacy Act, a number of Australian States and Territories have also enacted privacy legislation. In particular, New South Wales, the Australian Capital Territory, the Northern Territory, Queensland, Tasmania and Victoria all have specific privacy laws governing the handling of personal data by government agencies in those States and Territories. In addition, the Australian States and Territories have enacted a range of other legislation which prescribe obligations and rights relating to data handling and privacy. This other legislation addresses issues such as surveillance, use of criminal record information and use of health information. The remainder of this summary only considers the federal Privacy Act (except to the extent otherwise specified).
Entry into force
The Privacy Act came into effect on 1 January 1989. The Privacy Amendment (Private Sector) Act 2000 (Cth) came into effect on 21 December 2001, amending the Privacy Act to establish a national scheme to regulate private sector organisations' handling of personal data. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 came into effect on 12 March 2014, introducing the significant changes to the Privacy Act described above. The Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect on 22 February 2018, introducing a mandatory data breach notification regime into the Privacy Act. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) came into effect on 13 December 2022, increasing the penalties for "serious" or "repeated" interferences with privacy and enhancing the powers of the Office of the Australian Information Commissioner (the “OAIC”).
_____________________________________________________________________ Top
National Supervisory Authority
Details of the competent national supervisory authority
Office of the Australian Information Commissioner ("Commissioner")
GPO Box 5218
Sydney
NSW 2001
The Commissioner heads the Office of the Australian Information Commissioner (the “OAIC”). In practice, the Commissioner is responsible for the majority of the privacy related functions of the OAIC, including the investigation of complaints made by data subjects.
The previous regulatory authority, the Office of the Privacy Commissioner, was integrated into the OAIC on 1 November 2010. The Commissioner now holds the dual role of Privacy Commissioner and Information Commissioner.
Notification or registration scheme and timing
There is no notification or registration scheme for organisations or agencies that handle personal data.
Exemptions to notification
Not applicable.
_____________________________________________________________________ Top
Scope of Application
What is the territorial scope of application?
The Privacy Act applies to the handling of personal data by federal government agencies and private sector organisations within Australia.
The Privacy Act also applies to the overseas activities of Australian organisations, and the activities of foreign organisations, that have an "Australian link". An organisation is considered to have a link with Australia if: (i) there is an organisational link: for example, the organisation is a company incorporated in Australia, or a trust created in Australia; or (ii) the organisation carries on business in Australia or an external territory
A 2023 Administrative Appeals Tribunal decision confirmed that the "carrying on business in Australia" test is the only requirement that must be established for a foreign corporation to have an "Australia link", and that once an "Australian link" is established, a foreign corporation's global data handling practices are subject to the Privacy Act (Clearview AI Inc and Australian Information Commissioner [2023] AATA 1069). The term "carrying on business in Australia" was interpreted broadly – the repeated collection or personal information from Australian servers was sufficient (despite the foreign corporation's lack of physical presence in Australia). As part of its Privacy Act review, the Federal Government has agreed that further consultation is required to determine whether there should be an additional requirement that personal information is connected to Australia in order to narrow the current scope.
If an organisation's overseas activity is required by the law of a foreign country, then that activity is not taken to amount to an interference with the privacy of a data subject under the Privacy Act. In 2022, the additional limb that required an organisation to also collect or hold personal information in Australia was removed.
Is there a concept of a controller and a processor?
The Privacy Act makes no distinction between entities which control, as opposed to process, personal data (although this is currently under consideration by the Federal Government as part of its Privacy Act review). Entities regulated by the Privacy Act are known as "APP entities". Any handling by APP entities of personal data, whether collecting, using, disclosing, holding or otherwise processing it either independently or on the instructions of another organisation, is potentially subject to regulation under the Privacy Act.
Are both manual and electronic records subject to data protection legislation?
Yes. The Privacy Act applies to any personal data that is collected, acquired or obtained from any source and by any means. The definition of personal data in the Privacy Act expressly includes reference to personal data whether recorded in a material form or not.
Are there any national derogations?
Generally, private sector organisations and federal government agencies are subject to the Privacy Act, and State and Territory government agencies are subject to separate State and Territory legislation.
The Privacy Act contains exemptions for certain organisations. For example, operators of small businesses (broadly, businesses with an annual turnover for the previous financial year of $3,000,000 or less) are not generally subject to the Privacy Act, except in specific circumstances, e.g. where the small business provides a health service and holds health information, discloses personal data for a benefit, service or advantage, or is a contracted service provider for a Commonwealth contract. As part of its Privacy Act review, the Federal Government has agreed in-principle that the small business exemption should be removed, provided that an impact analysis is conducted and appropriate support for small business is developed. This proposal is subject to further consultation.
There are also exemptions for the handling of personal data in relation to personal, family or household affairs, and for media organisations and political parties. However, there is no general exemption for not-for-profit organisations.
There is a limited exemption from the application of the Privacy Act for the sharing of personal data (other than sensitive data) between companies in the same group, whereby the collection and sharing of personal data between those companies will not be considered an interference with the privacy of an individual. However, principles regarding the disclosure of personal data outside Australia apply even where the relevant transfer is between group companies. In addition, in some circumstances there is an exemption from the Privacy Act for employers with respect to employee records. This is considered in more detail below.
_____________________________________________________________________ Top
Personal Data
What is personal data?
The Privacy Act defines personal data (referred to in the Privacy Act as “personal information”) to be “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not". The distinction between this definition and the definition of personal data in the GDPR is unlikely to be substantive.
Is information about legal entities personal data?
No, unless the legal entity is a data subject (for example a sole trader), or the information identifies (or is capable of reasonably identifying) any individuals (for example, the employees, directors or customers of the legal entity).
However, certain information about legal entities will receive protection under the Privacy Safeguards where the information is "CDR data" under the Consumer Data Right regime (see "Rights to data portability" below).
What are the rules for processing personal data?
The Privacy Act does not specifically refer to “processing” personal data and there is no distinction between entities which control, as opposed to process, personal data. This means that any handling of personal data by APP entities, whether collecting, using, holding, disclosing, processing or otherwise, is potentially subject to the Privacy Act. The Privacy Act contains the Australian Privacy Principles (the “APPs”) that prescribe the rules for the collection, use, disclosure and protection of personal data, and that generally apply to both private sector organisations and federal government agencies.
While the APPs contain obligations which are broadly similar in operation and effect to the conditions for processing personal data, these provisions are dispersed throughout the APPs. The obligations in the Privacy Act are grouped according to the type of processing taking place, such as collection, use, disclosure or storage, or by the relevant right given to the data subject.
The APPs provide, as a general rule, that an organisation should only use or disclose personal data for the purpose for which it was collected. However, an organisation may use or disclose personal data about a data subject for another purpose (a secondary purpose) if the data subject has consented or the secondary purpose is related to the primary purpose and such use or disclosure might reasonably be expected by the data subject. If the personal data is sensitive personal data, the secondary purpose must be directly related to the primary purpose. There are also a number of exceptions to this general rule.
Are there any formalities to obtain consent to process personal data?
There are no specific formalities to obtain consent set out in the Privacy Act (except where an organisation wishes to obtain consent to cross-border disclosure, discussed further below). Consent can be express or implied, written or oral, but in any event requires, on the part of the relevant data subject both knowledge of the matter agreed to and voluntary agreement. The level of consent required in any particular case will depend upon, among other things, the seriousness of the consequences for the data subject if the personal data were to be used or disclosed.
The Australian Privacy Principles Guidelines issued by the Commissioner (the "APP Guidelines"), which are not legally binding but are intended to promote understanding and acceptance of the APPs, outline four key elements of valid consent, being: (1) the individual is adequately informed before giving consent; (2) the consent is given voluntarily; (3) the consent is current and specific; and (4) the individual has the capacity to understand and communicate their consent.
Are there any special rules when processing personal data about children?
There are no special rules in the Privacy Act relating to the processing (or otherwise) of personal data about children. However, the Commissioner's APP Guidelines on consent state that entities subject to the Privacy Act must assess, on a case-by-case basis, whether a data subject under the age of 18 has sufficient understanding and maturity to understand the particular processing of their personal data that is being proposed. If they do not possess this level of understanding, then parent or guardian consent may be required.
According to the Commissioner's guidance, where it is not practicable to assess the capacity of data subjects under the age of 18 on a case-by-case basis, the entity may presume that a data subject over the age of 15 has capacity to consent, unless there is something to suggest otherwise.
As part of its Privacy Act review, the Federal Government has indicated broad support to proposed reforms aimed at strengthening the protection of children, including the introduction of a Children's Online Privacy Code and other additional protections to apply specifically to children.
Are there any special rules when processing personal data about employees?
Employers will be exempt from compliance with the Privacy Act to the extent that they are collecting and using any employee records that are directly related to a current or former employment relationship. This exemption distinguishes Australian privacy regulation from other jurisdictions, which generally do not contain an equivalent exemption for employee records. However, as part of its Privacy Act review, the Federal Government has agreed in-principle that further consultation should be undertaken to assess how enhanced privacy protections for employees should be introduced.
Given the way the employee records exemption is framed, the exemption does not extend to an employer's handling of personal information relating to independent contractors. The scope of the employee records exemption has also been construed narrowly by Australian courts. In 2019, the Full Bench of the Fair Work Commission found that the exemption only applies in the case of employee records already held by the employer (Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946). That is, it does not exempt employers from their obligations under the Privacy Act in relation to the collection of employees' personal information.
In addition to the employee records exemption, there are some special rules for processing surveillance data about employees under state-based employee surveillance legislation, including a general requirement to provide prior notice to employees in relation any camera, computer and tracking surveillance conducted in the workplace. (For instance, under the Surveillance Devices Act 1999 (Vic), the Workplace Surveillance Act 2005 (NSW) and the Workplace Privacy Act 2011 (ACT)).
_____________________________________________________________________ Top
Sensitive Personal Data
What is sensitive personal data?
The Privacy Act defines sensitive personal data (referred to in the Privacy Act as “sensitive information”) in broadly the same way as the standard types of sensitive personal data.
Are there additional rules for processing sensitive personal data?
Generally, an organisation is not allowed to collect sensitive information from a data subject unless the data subject has consented and the personal data is reasonably necessary for one or more of the organisation's functions or activities. An organisation can collect sensitive information from a data subject without consent in certain limited circumstances, for example where collection is required by Australian law. Non-profit organisations may collect sensitive information from a data subject without consent if the information relates to the activities of the organisation and the information relates solely to members or individuals who have regular contact with the organisation in connection with its activities.
An organisation may only use or disclose sensitive data for a purpose other than the primary purpose of collection (a secondary purpose) if either: (i) the secondary purpose is directly related to the primary purpose of collection and such use or disclosure might reasonably be expected by the data subject; (ii) the data subject has consented to the secondary use or disclosure; (iii) the use or disclosure is authorised or required under law; or (iv) another relevant exception applies.
Are there additional rules for processing information about criminal offences?
The Privacy Act expressly classifies a criminal record as a type of sensitive information. Therefore, the rules are the same as for sensitive information (described above).
Are there any formalities to obtain consent to process sensitive personal data?
See “Are there any formalities to obtain consent to process personal data?” above. There are no additional specific formalities to obtain consent to process sensitive personal data.
_____________________________________________________________________ Top
Data Protection Officers
When must a data protection officer be appointed?
There is no legal requirement under the Privacy Act to appoint a data protection officer. However, the APP Guidelines recommend that organisations consider appointing a designated privacy officer as part of good governance mechanisms to ensure compliance with the Privacy Act.
What are the duties of a data protection officer?
Not applicable (see above).
_____________________________________________________________________ Top
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
APP 1 requires that APP entities have a clearly expressed and up-to-date privacy policy that details the management of personal data by the organisation. The privacy policy must be made reasonably available, free of charge. The privacy policy must contain a range of information specified in APP 1, including (but not limited to), how the organisation collects and holds personal data, the purposes for which the organisation collects, holds, uses and discloses personal data, and data subjects' rights in relation to their personal information held by the organisation.
APP 1 also imposes a positive requirement on organisations to actively take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. What constitutes “reasonable steps” depends on a number of factors, such as the size and resources of the organisation, the nature of the personal data held and the practicality of implementing particular practices. The APP Guidelines, however, are clear that APP entities are not excused from implementing appropriate procedures on the grounds of inconvenience or cost. The APP Guidelines offer a number of examples of the practices that organisations should consider implementing (for example, regular staff training on the APPs and a proactive review and audit program for the organisation's implemented privacy practices, procedures and systems).
Are privacy impact assessments mandatory?
There is no express requirement to carry out privacy impact assessments (although the introduction of such a requirement is being contemplated as part of the Federal Government's Privacy Act review). However, as discussed above, APP 1 requires organisations to take "reasonable steps" to implement privacy practices, procedures and systems that will ensure compliance with the APPs. The APP Guidelines suggest that to comply with APP 1, organisations should consider conducting privacy impact assessments for new projects in which personal information will be handled, or when a change is proposed to existing data handling practices.
_____________________________________________________________________ Top
Rights of Data Subjects
Privacy notices
At or before the time of collection (or as soon as practicable afterwards) an organisation collecting personal data must take reasonable steps to make a data subject aware of a number of prescribed matters, including the identity of the organisation, the purposes of the processing, the types of organisations to whom the personal data may be disclosed and that the organisation's privacy policy contains certain information (for example, how to make a complaint).
Where personal data is not collected directly from the data subject, an organisation must take reasonable steps to make sure the data subject is informed of the same matters in respect of its indirect collection.
Rights to access information
As a general rule, an organisation must, upon request, give the data subject access to any personal data held about them. There are exceptions to this general rule, including where the provision of access to personal data could have an unreasonable impact on the privacy of other data subjects or where denying access is required or authorised by law.
Rights to data portability
An organisation must, following a valid request from a data subject, give access to the information in the manner requested by the data subject if it is reasonable and practical to do so. A data subject could use this right to ask for their personal data in a portable format. If the organisation does not provide access in the manner so requested by the individual, it will need to set out its reasons for not doing so in written notice to the individual.
In August 2019 the Australian Federal Government passed the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth), which created a framework for a national Consumer Data Right (the "CDR)" that provides consumers with further rights to data portability (outside of the Privacy Act). The CDR gives consumers the right to access specified categories of data held about them by designated organisations and efficiently transfer that data to (1) accredited third parties (which, as of July 2023, can now include bookkeepers, consultants and other advisors); and (2) specified unaccredited third parties (including lawyers, accountants, mortgage brokers and financial advisors).
Under the CDR regime, designated sectors of the economy are required to respond to requests from CDR consumers to transfer "CDR data", which includes any datasets that the Treasurer specifies under a designation instrument. The CDR is being rolled out in stages, which began with the banking sector on 1 July 2020, and the energy sector in 2022. From November 2024, the CDR is expanding into open finance, capturing non-bank lenders and buy now pay later product providers. Expansion into the telecommunications, insurance and superannuation sectors is currently on pause to allow the CDR regime to mature and to implement lessons learned from the banking and energy sectors.
CDR consumers include individuals and businesses who are identifiable or reasonably identifiable from CDR data (which is broader than the remit of personal data about a reasonably identifiable individual under the Privacy Act). Designated organisations are required to disclose CDR data in machine-readable form to accredited third parties, and in human-readable form to CDR consumers on request.
A strategic assessment of the CDR is planned by the Federal Treasury in late 2024 to inform future expansions and the implementation of action initiation for the CDR regime. The Treasury Laws Amendment (Consumer Data Right) Bill 2022 is currently before the Senate. If passed, the Bill will expand the CDR from a data sharing scheme to also enable CDR consumers to direct accredited persons to instruct on actions on their behalf. This would bring the CDR more in line with the UK, which already provides for action initiation (also known as "write access").
Right to be forgotten
Data subjects in Australia do not at present have a right to have their personal data erased, although the Federal Government has agreed in-principal to the introduction of such a right as part of its Privacy Act review.
Currently, the closest thing to a right of this nature in Australia is the data subject's right under APP 13, which grants data subjects a right to request to have their personal data corrected. An organisation must take reasonable steps to confirm and correct any personal data if it is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. If an organisation refuses to correct personal data, it must give reasons to the data subject who has requested such correction and information about the mechanisms available to complain about the refusal.
Further, under APP 11.2, if an organisation holds personal data about a data subject and the organisation no longer needs it for any purpose for which it may be used or disclosed under the APPs, it must in most cases take reasonable steps to destroy or de-identify the information (see further under 'Security' below).
Objection to direct marketing
The APPs provide that organisations must not use or disclose personal data for direct marketing unless an exception applies.
The first exception applies where: (i) the organisation collected the data from the data subject (and the information was not sensitive information); (ii) the data subject would reasonably expect the organisation to use or disclose the information for direct marketing; (iii) the organisation provides a simple means by which the data subject can "opt out" of the direct marketing communications; and (iv) the data subject has not made a request to opt out.
The second exception applies where: (i) the personal data has been obtained from third parties or the data subject would not reasonably expect the data to be used for direct marketing; (ii) the data subject has given its consent to the use of the personal data for direct marketing (or it is impracticable to obtain that consent); (iii) the organisation provides a simple means by which the data subject can "opt out" of the direct marketing communications; (iv) each direct marketing communication contains a prominent "opt-out" notice; and (v) the data subject has not made a request to opt out.
The third exception applies where the personal data is sensitive information and the data subject has given their consent to the use or disclosure of the personal data for direct marketing.
A fourth exception applies for organisations contracted or sub-contracted under a government contract to provide services to the Commonwealth or a State or Territory. This includes, for example, contractors who provide services to Ministers or Departments.
APP 7 does not apply to the extent that the Do Not Call Register Act 2006 (Cth) or the Spam Act 2003 (Cth) apply. These Acts are described in more detail below (see ”ePrivacy – Marketing and cookies”).
Other rights
Wherever it is lawful and practicable, data subjects must have the option of not identifying themselves when dealing with the organisation.
As noted above, a data subject may submit a complaint to the Commissioner about an act or practice that may be an interference with the privacy of the data subject. The complaint may then be investigated by the Commissioner.
As part of its Privacy Act review, the Federal Government has agreed in-principle to introduce (1) a right to object to the collection, use or disclosure of personal information; (2) a direct right of action to enforce privacy obligations; and (3) a statutory tort of privacy, which would operate independently of an individual's ability to seek redress under the Privacy Act.
_____________________________________________________________________ Top
Security
Security requirements in order to protect personal data
APP 11 requires an organisation to take active measures to ensure the security of personal data it holds, and to actively consider whether it is permitted to retain personal data. APP 11 requires organisations to take reasonable steps to protect the personal data they hold from misuse, interference and loss and from unauthorised access, modification or disclosure. APP 11 does not mandate any specific security obligations or standards.
The OAIC, however, has published a "Guide to securing personal information" (the "Guide to Securing Personal Information") which provides non-binding guidance on the reasonable steps organisations are required to take to protect the personal data they hold. According to the guide, reasonable steps require consideration of: (i) the nature of the organisation; (ii) the amount and sensitivity of the personal data held; (iii) the possible adverse consequences for an individual in the case of a breach; (iv) the practical implications of implementing the security measure, including the time and cost involved; and (v) whether a security measure is itself an invasion of privacy. This guide should be read in conjunction with the APP Guidelines and the Commission's "Data breach preparation and response" guide, which respectively outline the mandatory requirements of the APPs and for reporting eligible data breaches under the Privacy Act (see below).
Greater clarity on what "reasonable steps" for securing personal information involves is expected as part of the upcoming Privacy Act reforms.
Organisations also need to be aware of other laws (in addition to the APPs) that impose obligations in relation to personal data security. For example, credit reporting bodies and credit providers must comply with Part IIIA of the Privacy Act and the registered Credit Reporting Code, which require certain steps to be taken to maintain the security of credit reporting information (note that Part IIIA is currently under review by the Federal Government, with a report expected in October 2024). Likewise, a tax file number recipient must comply with the Privacy (Tax File Number) Rule 2015, and health care providers must comply with various health records acts. Due to the hundreds of laws requiring either retention or destruction of personal information, the Federal Government has agreed in-principle to assess whether these scattered legal provisions should be reformed.
Specific rules governing processing by third party agents (processors)
There are no specific rules governing the handling of personal data by third parties. The obligation placed on organisations under APP 11 to take reasonable steps to protect personal data from misuse, interference and loss and from unauthorised access, modification or disclosure, has the effect of requiring those organisations to take reasonable steps to ensure that any third party handling personal data on their behalf also takes the same or equivalent steps to protect that personal data. Ordinarily, this is satisfied by the first organisation imposing contractual requirements on the third party service provider / processor to handle any personal data received from the first organisation in accordance with the APPs and any additional data security requirements specified by the first organisation (including notification requirements in relation to actual or suspected data breaches). However, contractual requirements may not be sufficient to satisfy these requirements and the first organisation may need to take additional steps such as undertaking due diligence on the recipient organisation and exercising audit rights, where appropriate.
The Guide to Securing Personal Information referred to above also provides non-binding guidance in relation to the processing of personal data by third parties, as well as specific guidance in relation to third party providers of cloud computing. In particular, the OAIC states that to comply with APP 11, organisations must assess the security controls of the third party cloud computing provider, which may include consideration of their governance arrangements, controls relating to software security, access security and network security.
Notice of breach laws
The Privacy Amendment (Notifiable Data Breaches) Act 2017 amended the Privacy Act to incorporate a mandatory notifiable data breaches regime (the "NDB Scheme") that requires organisations to notify the Commissioner and affected data subjects if they believe that there has been an "eligible data breach".
An eligible data breach occurs where there is unauthorised access to, unauthorised disclosure of, or loss of, personal data held by an entity, and the relevant entity has reasonable grounds to believe that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. In this event, an entity must provide a statement to the Commissioner as soon as practicable, and must notify affected data subjects and/or data subjects at risk of serious harm as soon as practicable after notifying the Commissioner. The Commissioner may also direct an entity to make a notification in respect of an eligible data breach.
An exception to the notification requirement applies where an entity has taken remedial action early enough for serious harm not to have occurred or not to be likely to still occur.
Organisations who have reasonable grounds to suspect that an eligible data breach may have occurred also have obligations under the NDB Regime to promptly assess the situation and determine whether or not there has been an eligible data breach. An organisation must take all reasonable steps to complete this assessment within 30 calendar days from the time it first became aware of the relevant grounds for the suspicion.
As part of its Privacy Act review, the Federal Government has agreed in-principle to a 72-hour notification requirement in the event of an eligible data breach, aligning the NDB Scheme with other similar regimes under the Security of Critical Infrastructure Act 2018 (Cth) and APRA Prudential Standard CPS 234 (Information Security) and also other jurisdictions, such as the GDPR.
________________________________________________________________ Top
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
As APP 8 regulates the “disclosure” of personal data overseas (as opposed to the “transfer” of information), APP 8 applies whenever an organisation makes personal data available to entities located outside Australia, even where the information continues to be stored in Australia.
APP 8 provides that, prior to disclosing personal data to a recipient who is located outside Australia, an organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal data. This requirement does not apply if either: (i) the overseas recipient is bound by a law or binding scheme that is substantially similar to the APPs that the data subject can enforce; (ii) the data subject consents to the disclosure of the personal data in the particular manner prescribed by APP 8; or (iii) another exception applies (for example, that the disclosure of the personal data is required by Australian law).
Obtaining the consent described above can be difficult because it requires the organisation to expressly inform the data subject that once disclosed, the organisation will not be accountable, and the individual will not be able to seek redress, under the Privacy Act, and in many cases the overseas recipient will not be subject to a similar overseas law that is enforceable by the data subject. Accordingly, in most cases the organisation must take "reasonable steps" to ensure that the overseas recipient does not breach the APPs prior to disclosing that information to the overseas recipient. The APP Guidelines indicate that taking "reasonable steps" usually involves the organisation obtaining a contractual commitment from the overseas recipient that it will handle the personal data in accordance with the APPs.
Further, unless an exception applies, the Privacy Act provides that if the overseas recipient does breach the APPs (despite the organisation having taken the "reasonable steps" referred to above), the organisation may be held accountable. This amounts to deemed liability falling upon the organisation for a breach committed by the overseas recipient.
Organisations also need to consider APP 11 when disclosing personal data to overseas recipients. The obligation to take reasonable steps to protect personal data from misuse, interference and loss and unauthorised access, modification or disclosure will apply to the disclosure of personal data to an overseas recipient. Organisations disclosing personal data to overseas recipients will need to ensure that the personal data will continue to be secure once disclosed (unless they have relied on the consent exception described above).
Notification and approval of national regulator (including notification of use of Model Contracts)
There is no additional right for (or obligation on) organisations to disclose personal data overseas on the basis of a prior notification and approval of the Commissioner.
Use of binding corporate rules
There is currently no regulatory mechanism in Australia for organisations to use binding corporate rules in respect of the cross-border disclosure of personal data. However, the existence of any binding corporate rules are relevant in the assessment of compliance with APP 8. As noted above, an organisation may disclose personal information to an overseas recipient without complying with the "reasonable steps" requirement in APP 8 where the overseas recipient is subject to a law or binding scheme that is substantially similar to the APPs. This includes where the overseas recipient is subject to binding corporate rules.
_____________________________________________________________________ Top
Enforcement
Fines
The Commissioner may apply to the Federal Court or the Federal Circuit and Family Court for an order that the organisation pay a penalty for "serious" or "repeated" interferences with privacy. The maximum penalty for an individual is $2.5 million. For a corporation, the maximum penalty is the greater of (1) $50,000,000; (2) three times the value of the benefit obtained attributable to the breach; or (3) if the court cannot determine the value of the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention. These penalties constitute regulatory fines and cannot be used to compensate data subjects for breaches of the Privacy Act.
The Commissioner can also issue an infringement notice for failures to provide information when required by the Privacy Act. Unlike the penalties regime, the infringement notice powers do not require the Commissioner to commence proceedings in the Federal Court in order to impose a pecuniary penalty.
Additionally, it appears the Federal Government is seeking to bolster the Commissioner's regulatory and enforcement toolkit as part of its Privacy Act review, as it has agreed in-principle with the introduction of (1) a new mid-tier civil penalty provision to cover interferences with privacy which do not meet the threshold of being "serious"; (2) a low-tier civil penalty provision for specific administrative breaches; and (3) new infringement notice powers for failure to cooperate with efforts to resolve minor breaches.
Imprisonment
A breach of the Privacy Act does not result in criminal penalties. The Commissioner does not have the power to apply to a court for a criminal penalty (including imprisonment) for a contravention of the Privacy Act, or for a "serious" or "repeated" interference with privacy.
As part of the Privacy Act review, the Federal Government has agreed to consult on the possible introduction of a criminal offence for malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit.
Compensation
In response to complaints made by data subjects, the Commissioner has the power, among other things, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation or to make a determination which includes declarations that: (i) the data subject is entitled to a specified amount to reimburse the data subject for expenses reasonably incurred in connection with the making and investigation of the complaint; (ii) the data subject is entitled to a specified amount as compensation; (iii) the organisation has engaged in conduct constituting an interference with the privacy of a data subject and that it must not repeat or continue such conduct; (iv) the organisation take specified steps within a specified period to ensure that such conduct is not repeated or continued; and (v) the organisation perform any reasonable act or course of conduct to redress any loss or damage suffered by the data subject.
A determination of the Commissioner regarding an organisation is not binding or conclusive. However, the data subject or the Commissioner has the right to commence proceedings in the court for an order to enforce the determination.
Other powers
The Commissioner also has the power to audit organisations (referred to in the Privacy Act as "assessments"), accept enforceable undertakings, develop and register binding privacy codes and seek injunctive relief in respect of contraventions of the Privacy Act.
The OAIC also has numerous information gathering and information sharing powers. These include the power to conduct assessments of organisations' complaints under the NDB Scheme, the right to require information in relation to an actual or suspected eligible data breach, and the right to share information with other enforcement bodies and with the public.
As part of its Privacy Act review, the Federal Government has agreed that the OAIC should be provided with additional powers to investigate in relation to the civil penalty provisions and the power to undertake public inquiries and reviews into specified matters on the approval or direction of the Attorney-General. The Government also agreed to enhanced information sharing powers to mitigate the impacts of a data breach, by giving the Attorney-General the power to permit limited sharing of information between entities, which would likely include disclosure to both government bodies and industry.
Practice
The OAIC has historically taken a conciliatory approach to enforcing the Privacy Act. That position has now altered and the Commissioner has adopted an increasingly more robust enforcement posture, characterised by more active enforcement action.
The OAIC's 2022/2023 Annual Report indicates that during that reporting period, the Commissioner issued nine privacy determinations, following investigations of privacy complaints, and closed 94% of complaints through early resolution and conciliation. The remedies included apologies, correcting personal data held, requiring the respondent to prepare an incident response plan, requiring the respondent to take specified steps to ensure the act or practice is not repeated or continued as well as compensation (ranging from A$ 1,500 to A$2,150).
During the same period, the Commissioner commenced 28 investigations on privacy matters and finalised 28. The OAIC received 895 notifications of data breaches under the NDB Scheme. In 2022/2023, Australians were impacted by the most significant data breaches since the commencement of the NDB Scheme. The OAIC launched investigations into the Optus, Medibank Private, Latitude Group and Australian Clinical Labs data breaches. In addition to the OAIC investigations, four data breach class actions were commenced against Optus and Medibank in 2023. Prior to that, only one data breach class action had been brought in Australia and it ultimately settled.
Consistent with the 2019/2020, 2020/2021 and 2021/2022 reporting periods, no enforceable undertakings were entered into by organisations in the 2022/2023 year. This relatively low overall level of enforceable undertakings is reflective of the Commissioner's preference to issue determinations (see the increase in number of determinations above) but contrasts with the higher level of undertakings accepted by the Australian Competition and Consumer Commission ("ACCC") in relation to competition and consumer law issues. Among other things, enforceable undertakings typically require organisations to implement recommendations and rectify deficiencies identified in relation to whether their practices, procedures and systems are reasonable to protect the personal data they hold.
For the first time in its history, the Commissioner commenced civil proceedings in the Federal Court in March 2020 alleging serious and/or repeated interferences with privacy and applying for a civil penalty. These proceedings against the US-based Facebook Inc. and Facebook Ireland are still ongoing. In November 2023, the Commissioner commenced civil proceedings against Australian Clinical Labs Limited following a data breach, alleging that it seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure. These proceedings are ongoing.
The ACCC is also taking an active interest in privacy practices. In July 2019, the ACCC released the Final Report from its Digital Platforms Inquiry, which contained a number of recommendations for reform to the Privacy Act to increase penalties for breach and to introduce direct rights of action for individuals. Under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth), the penalties have subsequently been increased (see above). The other proposals remain under consideration by the Federal Government as part of its review of the Privacy Act. The 8th interim report of the Digital Platform Services Inquiry is due in March 2024 and will consider a range of potential competition and consumer issues relating to the data-driven products and services supplied by data brokers in Australia.
Ahead of such reform, the ACCC has relied on existing legislation to address issues of transparency and adequate disclosure when digital platforms collect and use consumer data. It has primarily done this through the prohibition on misleading and deceptive conduct in the Australian Consumer law ("ACL") in schedule 2 of the Competition and Consumer Act 2010 (Cth).
For example, in April 2021, the ACCC succeeded in its enforcement action against Google LLC and Google Australia Pty Ltd in the Federal Court, where it was found that consumers had been misled about how users' personal location data was collected through mobile devices. In July 2023, two Meta subsidiaries (Facebook Israel and Onavo Inc) were also found to be liable for misleading consumers about how their data would be used. However, there are also instances of the ACCC being unsuccessful, which includes a separate proceedings against Google LLC that failed in 2022.
These activities, along with its role as the primary regulator of the CDR regime (see ”Rights to data portability” above), suggest that the ACCC is likely to have an increasing role in data regulation in Australia.
_____________________________________________________________________ Top
ePrivacy | Marketing and cookies
_____________________________________________________________
National Legislation
ePrivacy laws
The Spam Act 2003 (Cth) (the “Spam Act”) governs the sending of commercial electronic messages. Its key operative provisions came into force on 10 April 2004.
The Do Not Call Register Act 2006 (Cth) (the “DNCR Act”) and Do Not Call Register Regulations 2006 govern telemarketing and fax marketing. The operative sections of the DNCR Act took effect on 31 May 2007. The Telemarketing and Research Industry Standard 2007 and the Fax Marketing Industry Standard 2011 have also been implemented (from 31 May 2007 and 4 May 2011 respectively) and regulate telemarketing and fax marketing in addition to the DNCR Act.
Although APP 7 deals with direct marketing, the APPs do not apply to the extent that the DNCR Act or the Spam Act apply.
Both the Spam Act and the DNCR Act are regulated by the Australian Communications and Media Authority ("ACMA"). The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) expanded ACMA's existing rights to disclose information to specified federal agencies (including the ACCC) to any non-corporate federal entity if that information enables the authority to perform its functions.
_____________________________________________________________________ Top
Cookies
Conditions for use of cookies
The use of cookies is not specifically regulated in Australia. However, personal data collected via the use of cookies is subject to Australian privacy laws in the same manner as all other personal data. As part of its Privacy Act review, the Federal Government has agreed in-principle to amend the definition of personal information to capture technical inferred information when this information can be used to identify individuals. Whilst there is no indication as to whether cookies will be specifically included as a category of technical or inferred information, the data collected by cookies will likely be captured under the expanded definition of personal information.
Regulatory guidance on the use of cookies
Not applicable.
_____________________________________________________________________ Top
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
The Spam Act requires that all “commercial electronic messages” identify the sender and, unless exempt, be sent with the consent of the recipient and include a functional unsubscribe mechanism.
The Spam Act regulates the sending of commercial electronic messages which have an “Australian link”, which is where: (i) the sending of the message was authorised by a data subject physically present in Australia when the message was sent; (ii) the organisation who sent the message is an organisation whose central management and control is in Australia when the message is sent; or (iii) the relevant electronic account-holder is a person who is physically present in Australia at the time the message is accessed or is an organisation that carries on business or activities in Australia at the time the message is accessed.
Conditions for direct marketing by e-mail to corporate subscribers
The Spam Act does not distinguish between individual and corporate recipients of commercial electronic messages.
Exemptions and other issues
Exemptions from the Spam Act requirements include certain messages authorised by government bodies, registered political parties, religious organisations and charities or charitable institutions, subject to certain conditions. By regulation, facsimile messages are also exempted from the Spam Act requirements. However, fax marketing activities may be covered by the DNCR Act (see below).
Commercial electronic messages may be sent where consent is obtained. Consent may be express or inferred from the conduct of the person and the business or other relationship between the sender and the person. In limited circumstances, consent may be inferred from publication of an e-mail address.
Civil penalties are among the remedies that may apply where an organisation has breached the Spam Act.
ACMA has listed, among others, combating SMS scams and enforcing spam unsubscribe rules as two of its key compliance priorities for 2023-24. Notable penalties issued by the ACMA in 2023 for breaches of the Spam Act include the A$2 million penalty against DoorDash Inc and the record A$3.5 million penalty against the Commonwealth Bank of Australia Ltd.
_____________________________________________________________________ Top
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The DNCR Act establishes a compulsory Do Not Call Register (the “Register”) of telephone numbers belonging to individuals who have opted out of receiving telemarketing calls. Individuals are able to submit their Australian fixed line or domestic mobile telephone numbers to be recorded on the Register. With some exceptions, it is an offence to make an unsolicited telemarketing call to any registered number. For the purposes of the DNCR Act, “telemarketing call” is defined as a voice call (including recorded or synthetic voices) to a telephone number, where that telephone call is for a commercial purpose.
The DNCR Act allows organisations seeking to make or authorise telemarketing calls to submit a list of Australian telephone numbers to the ACMA for checking against the Register so as to identify and eliminate from that list the telephone numbers of those people who have listed their telephone number on the Register – a practice known as “washing”. A “washed” list may for a certain time be relied upon by the person submitting it as stating a list of telephone numbers to which telemarketing calls may be made without breaching the DNCR Act.
Telemarketing activities applying to numbers not entered on the Register or conducted by organisations not subject to the DNCR Act are governed by the Telemarketing and Research Industry Standard 2017 (the “TRCI Standard”). The TRCI Standard establishes minimum standards in relation to the hours and days that telemarketing and research calls are able to be made, the nature, purpose and source of telemarketing or research calls, the termination of telemarketing calls upon the request of the recipient and the provision of calling line information. The Telecommunications (Fax Marketing) Industry Standard 2021 sets out the minimum requirements for those sending marketing faxes to Australian numbers.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
An Australian number is eligible to be entered on the Register if it is: (i) used or maintained primarily for private or domestic purposes; (ii) used or maintained exclusively for transmitting and/or receiving faxes; (iii) used or maintained exclusively for use by a government body; or (iv) an emergency service number.
Telemarketing calls to corporate subscribers, unless they fall into one of the categories above, are therefore unlikely to be caught by the DNCR Act.
Exemptions and other issues
Exemptions from the DNCR Act requirements include calls authorised by government bodies, religious organisations and charities or charitable institutions, subject to certain conditions. However, such entities may be covered by the TRCI Standard when making specific types of telemarketing calls.
Telemarketing calls may be made to a telephone number which is registered on the Register if the relevant person has consented to receiving such calls. Consent may be express or inferred from the conduct of the person and the business or other relationship between the marketer and the person.
Remedies for breach of the DNCR Act include civil penalties and injunctions.
_____________________________________________________________________ Top